From 5bb076a30b3aa32b4055cd18cfedbdf520dffccb Mon Sep 17 00:00:00 2001 From: dmiller Date: Thu, 19 Nov 2015 18:19:59 +0000 Subject: [PATCH] Update todo and done files with completed tasks --- todo/done.txt | 39 ++++++++++++++++++++++++++++++++ todo/nmap.txt | 62 ++------------------------------------------------- 2 files changed, 41 insertions(+), 60 deletions(-) diff --git a/todo/done.txt b/todo/done.txt index e7a258b4b..d6ed5690d 100644 --- a/todo/done.txt +++ b/todo/done.txt 
@@ -1,5 +1,44 @@ DONE: +o Augment the configure script to list unmet dependencies. Currently, configure + works just fine without a C++ compiler installed, but make generates an + error. The configure script should be able to detect this. Also, a list of + features that are/are-not available would be nice at the end of the script, + so folks can see that they've e.g. missed the OpenSSL dependency. + +o Add parallel IPv6 reverse DNS support (right now we use the system + functions). + +o [Ncat] This may sound ridiculous, but I'm starting to think that + Ncat should offer a very simple built-in http server (e.g. for simply + sharing files, etc.) And maybe a simple client too. (Done via --lua-exec and + the httpd.lua script shipped with Ncat) + +o INFRASTRUCTURE: Add IPv6 support to secwiki + - We probably just have to designate a new IPv6 address for it and + add it to Apache config. + +o [INFRASTRUCTURE] Improve our main web server http configuration to + better handle high load situations and DoS attacks. As part of + this, we may have to raise the max client limits. But then there is + a risk of running out of RAM, which can be even worse. So we need + to figure out a good balance. + +o Migrate web.insecure.org to a RHEL-6 derived distro (probably CENTOS + 6, since Linode doesn't currently offer ScientificLinux images). + o Actually, if we can wait until "second half of 2013", we might be + able to jump straight to RHEL 7. And RHEL 5 support looks like it + will go on for many more years for critical/security patches. + o Maybe start with svn server, since we've had reports of our + current one giving people unexpected password prompts. There is a + thread about that at http://seclists.org/nmap-dev/2012/q2/17 + o UPDATE on this - adding read-only rights (rather than no rights) + to the root of the svn repo seems to have solved this problem. 
+ +o Make Windows 8.1 VM with VS 2013 and do more testing of Nmap compilation/running + +o Make and test build on a newer OS X than 10.6 (10.10 was recently released) + o Adopt an issue tracking system for Nmap and related tools. We should probably look at our needs and options and then decide on and either install it on our own infrastructure or use it hosted elsewhere. diff --git a/todo/nmap.txt b/todo/nmap.txt index 5e94aa502..22310ab4d 100644 --- a/todo/nmap.txt +++ b/todo/nmap.txt @@ -1,18 +1,5 @@ TODO $Id: TODO 11866 2009-01-24 23:10:05Z fyodor $ -*-text-*- -o Finish the version detection submission integration - -o Do the very latest Nmap IPv4 OS detection (last was done with - snapshot from May). - -o Make sure the new version detection sigs have appropriate CPE’s. - -o Integrate latest IPv6 OS detection submissions and corrections - -o Make Windows 8.1 VM with VS 2013 and do more testing of Nmap compilation/running - -o Make and test build on a newer OS X than 10.6 (10.10 was recently released) - o Deal with our out-of-date CA root certificate bundle by either using OS-specific mechanisms and/or updating the latest from Mozilla or another source. See http://seclists.org/nmap-dev/2014/q4/200 @@ -30,16 +17,6 @@ o Figure out what nmap-update is doing for SSL certificate o Audit ncat's ssl algorithm and ciphersuite choices -o Do a test/beta release (more, if necessary) - -o Make sure people have tested on Mac OS 10.10 - -o Do CHANGELOG for new release[Fyodor] - -o Web updates for new release - -o Build and post new release - ==Items we need to finish before next big release go above this line== o Make Ncat avoid linking with libpcap even when it's available. Currently this 
@@ -114,14 +91,6 @@ o Consider using a binary decision diagram for --exclude list to make it more efficient for large exclude lists. See http://seclists.org/nmap-dev/2012/q4/420. -o Augment the configure script to list unmet dependencies. Currently, configure - works just fine without a C++ compiler installed, but make generates an - error. The configure script should be able to detect this. Also, a list of - features that are/are-not available would be nice at the end of the script, - so folks can see that they've e.g. missed the OpenSSL dependency. - -o Integrate latest version detection submissions and corrections - o Look into moving our Mac building/testing system into a virtual machine or leased server sort of environment so that multiple Nmap developers can access it and nobody has to keep a stack of Mac Minis @@ -152,10 +121,6 @@ o Make CONCURRENCY_LIMIT in nse_main.lua at least the min-parallelism. Otherwise NSE is limited to 1000 socket-using threads even if you've requested more. -o INFRASTRUCTURE: Add IPv6 support to secwiki - - We probably just have to designate a new IPv6 address for it and - add it to Apache config. - o INFRASTRUCTURE: Consider updating our svn-mailer.py (and conf file) to the latest official version. First check whether there is a later official version and whether it has material changes. We're @@ -211,7 +176,7 @@ o Our http library should allow the client to specify a max size in o NSE digest auth should use the more robust parsing from http.parse_www_authenticate as described at http://seclists.org/nmap-dev/2012/q3/868 - + o Treat the input to the escape function in xml.cc as UTF-8, not just ASCII. Good UTF-8 should survive into the output; i.e., "\xe2\x98\xbb" should become "\xe2\x98\xbb" in the output, not "☻". 
@@ -260,12 +225,6 @@ o Test a hierarchical classifier for IPv6 OS detection. Our classifier suspect playing it by ear will be sufficient. Talk to David for more of his thinking on this topic. -o [INFRASTRUCTURE] Improve our main web server http configuration to - better handle high load situations and DoS attacks. As part of - this, we may have to raise the max client limits. But then there is - a risk of running out of RAM, which can be even worse. So we need - to figure out a good balance. - o Maybe we should rename dns-brute to dns-brute-enum since it is so different from our traditional brute force authentication cracking -brute scripts? @@ -286,17 +245,6 @@ o Revive the Nmap Public Source License project (need to find an open o Also take close look at Mozilla's license modernization project: http://mpl.mozilla.org/scope/ -o Migrate web.insecure.org to a RHEL-6 derived distro (probably CENTOS - 6, since Linode doesn't currently offer ScientificLinux images). - o Actually, if we can wait until "second half of 2013", we might be - able to jump straight to RHEL 7. And RHEL 5 support looks like it - will go on for many more years for critical/security patches. - o Maybe start with svn server, since we've had reports of our - current one giving people unexpected password prompts. There is a - thread about that at http://seclists.org/nmap-dev/2012/q2/17 - o UPDATE on this - adding read-only rights (rather than no rights) - to the root of the svn repo seems to have solved this problem. - o Maybe we should add an analysis or reporting or intelligence (or different name) for our NSE scripts which don't send any packets, but simply analyze Nmap's existing data and report when useful. 
@@ -410,9 +358,6 @@ o [NSE] Consider a system where scripts can tell if any other scripts snmp-interfaces could store the discovered table if another script (such as a mac address geolocator script) depends on it. -o Add parallel IPv6 reverse DNS support (right now we use the system - functions). - o [NSE] Consider whether we need script.db for performance reasons at all or should just read through all the scripts and parse on the fly. See: [http://seclists.org/nmap-dev/2009/q2/0221.html] @@ -540,6 +485,7 @@ o Start project to make Nmap a Featured Article on Wikipedia. o Add Nmap web board/forum - First step is looking at the available software for this. + - Nmap subreddit exists: https://www.reddit.com/r/nmap o [Zenmap] Consider a couple ideas from Norris Carden (http://seclists.org/nmap-dev/2010/q2/228): @@ -607,10 +553,6 @@ o Consider rethinking Nmap's -s* syntax for specifing scan types o Do -p- Internet UDP scans. -o [Ncat] This may sound ridiculous, but I'm starting to think that - Ncat should offer a very simple built-in http server (e.g. for simply - sharing files, etc.) And maybe a simple client too. - o Scanning through proxies o Nmap should be able to scan through proxy servers, particularly now that we have an NSE script for detectiong open proxies and now that
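Review bot: In the todo/done.txt hunk (@@ -1,5 +1,44 @@), the "[INFRASTRUCTURE] Improve our main web server http configuration" and "Migrate web.insecure.org" entries are archived with their open questions still in place ("So we need to figure out a good balance", "probably CENTOS 6", "we might be able to jump straight to RHEL 7"), so the done file does not record what was actually decided. The Ncat entry in the same hunk shows the better pattern with its "(Done via --lua-exec and the httpd.lua script shipped with Ncat)" suffix. Suggest adding a similar one-line resolution to these two entries, since the load and DoS handling of the main web server is exactly the kind of decision someone will want to look up later.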
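Review bot: Several entries deleted in the todo/nmap.txt hunks at @@ -1,18 +1,5 @@, @@ -30,16 +17,6 @@ and @@ -114,14 +91,6 @@ do not appear among the lines this patch adds to done.txt, for example "Finish the version detection submission integration", "Integrate latest IPv6 OS detection submissions and corrections" and "Build and post new release". Of the first hunk's six removals only the Windows 8.1 VM and OS X build items are carried over, which matches the diffstat of 60 deletions against 39 insertions in done.txt. If these are dropped on purpose because they are recurring per-release steps, say so in the commit message, since the subject line describes the whole change as completed tasks; otherwise add them to done.txt so the history of the release work is not lost.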
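Review bot: The whitespace-only change in the @@ -211,7 +176,7 @@ hunk, where the blank-looking line after the http.parse_www_authenticate entry is removed and re-added, is unrelated to recording completed tasks. Suggest dropping it from this commit or committing whitespace cleanup separately, so that every changed line in this bookkeeping commit corresponds to a task that moved or changed status.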
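Review bot: The line added in the @@ -540,6 +485,7 @@ hunk, "- Nmap subreddit exists: https://www.reddit.com/r/nmap", leaves it unclear whether the "Add Nmap web board/forum" item is now considered satisfied or is still open, and it is a status note rather than a completed task as the subject line suggests. Suggest wording it as a decision, stating whether the subreddit is meant to fill this role and whether a separate forum is still wanted, and mentioning the addition in the commit message.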